CodeIgniter Forums
csrf_protection in codeigniter 2.0.2 - Printable Version

Thread: csrf_protection in codeigniter 2.0.2 (https://forum.codeigniter.com/thread-53104.html)



csrf_protection in codeigniter 2.0.2 - El Forum - 07-11-2012

[eluser]zoreli[/eluser]
Hi everyone

I have a simple login form in codeigniter (2.0.2). Frequently the following error is displayed:

An Error Was Encountered
The action you have requested is not allowed.


After a short research I understand that it is a security issue connected with csrf_protection.

In the config file my setting is the following:

Code:
$config['csrf_protection'] = TRUE;

My login form is open and closed with use of short tags, like this:

Code:
<?= form_open("/mycontroller/checklogin/process", array("method"=>"post","class"=>"login_form")) ?>

and I am closing the form like this:

Code:
<?= form_close() ?>

Reading this forum for similar issues, I found this solution, which, when I implemented it, didn't solve my problem:

Code:
<?=form_hidden($this->security->get_csrf_token_name(), $this->security->get_csrf_hash());?>

The error remains. I am not checking this hidden field in my controller... I have no idea whether I should.

I also do not run the form validation library in my controller. Should I?

Any help will be deeply appreciated.

Regards, Zoreli


csrf_protection in codeigniter 2.0.2 - El Forum - 07-11-2012

[eluser]InsiteFX[/eluser]
I added this to my controller:
Code:
$data = array(
    'csrf_hash' => $this->security->get_csrf_hash(),
    'csrf_name' => $this->security->get_csrf_token_name()
);

And changed the hidden form field in my view to this:

Code:
<input type="hidden" name="<?php echo $csrf_name; ?>" value="<?php echo $csrf_hash; ?>" />



csrf_protection in codeigniter 2.0.2 - El Forum - 07-11-2012

[eluser]zoreli[/eluser]
Hi

I placed the code and it seemed to work well, until I tested it with Opera. As soon as I did that, bang, the nasty error message was displayed. I am getting lost now, really...

After some additional testing I noticed that the message is shown only if you are trying to log in for the first time and haven't logged in earlier. Once the cookie has been placed on your computer, it works; before that, you get the error message.

Regards, Zoreli


csrf_protection in codeigniter 2.0.2 - El Forum - 07-11-2012

[eluser]InsiteFX[/eluser]
Nope, I checked all my code using IE9, FireFox 13 and Chrome. I did hear that Opera was having a lot of problems, along with Chrome.

Run Chrome and check the top of these forums.



csrf_protection in codeigniter 2.0.2 - El Forum - 07-11-2012

[eluser]zoreli[/eluser]
Hi

I didn't understand this part:

[quote author="InsiteFX" date="1342055792"]
Run Chrome and check the top of these forums.
[/quote]

Well I am using Chrome right now. Top of which forums?

Regards, Zoreli


csrf_protection in codeigniter 2.0.2 - El Forum - 07-11-2012

[eluser]InsiteFX[/eluser]
These forums; look at the top red area with the advanced search.



csrf_protection in codeigniter 2.0.2 - El Forum - 07-11-2012

[eluser]zoreli[/eluser]
Hi

After long testing... I am getting the error from time to time in all browsers.

That happens when I clear the cache and history. Then I get the error in any browser.

My settings in the config are the following:

Code:
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'one';
$config['csrf_cookie_name'] = 'two';
$config['csrf_expire'] = 7200;

I place the following code in the controller:

Code:
$data = array(
    'csrf_hash' => $this->security->get_csrf_hash(),
    'csrf_name' => $this->security->get_csrf_token_name()
);


Printing both of those variables returns the following:

ci_csrf_token
b8c3ab208e59e08228f3b93ad3f38ffa

Any help will be deeply appreciated.

Regards, Zoreli


csrf_protection in codeigniter 2.0.2 - El Forum - 07-12-2012

[eluser]JoostV[/eluser]
When you clear cache and history you may well delete all session cookies as well. Did you check that the session started correctly before the first post? If not, the token is not stored in the session correctly.

You can easily check if this is the case. Open Firefox and go to the post page; delete all cookies using the Web Developer toolbar; load the page again; check if a session cookie has been set using the Web Developer toolbar.
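For reference, the check behind csrf_protection in CodeIgniter 2.x is a double-submit comparison: the token in the form's hidden field must match the token the browser sends back in the CSRF cookie. The following is an added illustration written for this thread, not the framework's own code; it reduces that check to three plain PHP functions (csrf_current_token, csrf_hidden_field and csrf_verify are the example's own names) and reuses the token name, cookie name and expiry from the config posted above, so you can see why a POST that arrives without the cookie is rejected.

```php
<?php
// Added illustration of the double-submit cookie check used for CSRF
// protection in CodeIgniter 2.x; not CodeIgniter's own code.
const CSRF_TOKEN_NAME  = 'one';   // $config['csrf_token_name'] from the thread
const CSRF_COOKIE_NAME = 'two';   // $config['csrf_cookie_name'] from the thread
const CSRF_EXPIRE      = 7200;    // $config['csrf_expire'] from the thread

// Reuse the well-formed token already in the cookie, or mint a fresh random one.
function csrf_current_token(array $cookies): string
{
    if (isset($cookies[CSRF_COOKIE_NAME])
        && preg_match('/^[0-9a-f]{32}$/', $cookies[CSRF_COOKIE_NAME])) {
        return $cookies[CSRF_COOKIE_NAME];
    }
    return bin2hex(random_bytes(16));
}

// Hidden field to place inside the form (what form_hidden() emits in the thread).
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Verification on POST: field and cookie must both be present and identical.
// A missing cookie (first visit, cookies cleared, or a cookie the browser
// refused to store) fails here, which is the "action not allowed" case.
function csrf_verify(array $post, array $cookies): bool
{
    if (!isset($post[CSRF_TOKEN_NAME], $cookies[CSRF_COOKIE_NAME])) {
        return false;
    }
    return hash_equals($cookies[CSRF_COOKIE_NAME], $post[CSRF_TOKEN_NAME]);
}

// Constructed walk-through of the two situations described in the thread.
$token = csrf_current_token([]);                       // no cookie yet on first visit
setcookie(CSRF_COOKIE_NAME, $token, time() + CSRF_EXPIRE, '/');
echo csrf_hidden_field($token), "\n";

// Submission where the browser sent the cookie back: accepted.
var_dump(csrf_verify([CSRF_TOKEN_NAME => $token], [CSRF_COOKIE_NAME => $token]));
// Submission where the cookie never arrived: rejected, even though the field is right.
var_dump(csrf_verify([CSRF_TOKEN_NAME => $token], []));
```

If the second case is what you see, check in the browser's cookie viewer whether the cookie named in csrf_cookie_name was actually stored for the form page's domain and path before the POST.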


csrf_protection in codeigniter 2.0.2 - El Forum - 07-12-2012

[eluser]CroNiX[/eluser]
[quote author="InsiteFX" date="1342056890"]These forums look at the top red area with the advanced search.
[/quote]
Looks fine to me.
Chrome (Win7/64) 20.0.1132.57 m


csrf_protection in codeigniter 2.0.2 - El Forum - 07-13-2012

[eluser]InsiteFX[/eluser]
I am running the same version as you, CroNiX, and the blue advanced search button drops below the input box; also the username, password and forgot password fields are dropping down a line.

But it works fine in IE9 and FireFox 13.